Research-Human-Subjects-HIPAA-IRB by liujizheng


HIPAA’s Privacy Rule:
Research and the IRB

October 15, 2002
Rodney Johnson
Office of the General Counsel
      The Health Insurance Portability and
           Accountability Act of 1996
    • HIPAA Privacy Rule, 45 CFR Parts 160 and 164
      (Final Rule 65 Fed.Reg. 82462, December 22, 2000;
      Amended 67 Fed.Reg. 53181, August 14, 2002).

    • Covered entities must comply with HIPAA’s privacy
      rule by April 14, 2003.

    • The Fear - Once patients’ records are stored electronically
      on networks, a couple of clicks can transmit those records
      all over the world!

         Entities Covered By HIPAA’s
                  Privacy Rule
    • HIPAA regulates “covered entities”
    • “Covered entity” means:
       • a health care provider who transmits any health
         information in electronic form in connection with
         a transaction covered by HIPAA;
       • a health plan (e.g., employer sponsor of
         employee health plan); or
       • a health care clearinghouse (e.g., billing agent).

           The Hybrid Entity Concept –
             Section 164.504(a) – (c)
    • A hybrid entity is a single legal entity whose business
      activities include both non-covered and covered
    • Stanford will choose to be treated as a hybrid entity.
    • The hybrid entity must formally designate its health care
      components, which must include:
       (1) those components that perform covered functions,
       (2) those components that perform support functions for
           the entity’s covered functions that involve the use or
           disclosure of PHI.

           The Hybrid Entity Concept

    • A hybrid entity is required to impose certain
      safeguards/firewalls between health care and non-
      health care components. It is responsible for
      assuring that its “health care components” comply
      with HIPAA’s standards and do not share PHI with
      its “non-health care components,” absent patient

          Affiliated Covered Entities –
           Section 164.504(a) and (d)

    • Legally separate covered entities that are under
      common ownership or control may designate
      themselves as a single covered entity for purposes of
      HIPAA compliance.
    • Since Stanford, SHC, and LPCH are three separate
      legal entities under common control, they will
      elect to be treated as a single covered entity for
      HIPAA purposes – a “single affiliated entity.”

            Basic HIPAA Privacy Rule –
                 Section 164.502(a)
    • Basic Rule: A Covered Entity may not use or disclose
      protected health information (“PHI”) in any form except
      as consented to or authorized by the patient or as
      permitted by the regulations.

    • Prior Rule: State law generally governed the confidentiality
      of medical information.

    • Preemption: HIPAA now preempts state confidentiality laws
      unless they are stricter, such as, mental health records or HIV
      test results.

            Basic HIPAA Privacy Rule
    HIPAA’s Privacy Rule introduces new standards
    for uses (i.e., internal to covered entity) and
    disclosures (i.e., external to covered entity) of PHI:
       • Treatment, Payment and Health Care
         Operations (e.g., education programs, QA)
       • All Other Uses & Disclosures, including
         Research, Marketing, Fundraising
       • Minimum Necessary Requirement

            Covered Entity’s HIPAA
         Responsibilities– Section 164.530
    1. Institute a required level of security for PHI, including limiting
       disclosures of information to the minimum required for the
    2. Designate a privacy officer and contact person;
    3. Establish privacy and disclosure policies to comply with HIPAA;
    4. Train employees on privacy policies;
    5. Establish sanctions for employees who violate privacy policies;
    6. Establish administrative systems in relation to PHI that can
       respond to complaints, respond to requests for corrections of
       health information by a patient, accept requests not to disclose for
       certain purposes, track disclosures of health information, and
       mitigate unauthorized use or disclosures;

             Covered Entity’s HIPAA
           Responsibilities  (continued)
     7. Issue a privacy notice to patients concerning the use and
         disclosure of their PHI;
     8. Establish a process through an IRB (or privacy board)
         for a HIPAA review of certain research protocols;
     9. Include a detailed privacy provision in agreements with
         business associates (e.g., vendors, lawyers) who conduct
         functions for the covered entity that involve the use or
         disclosure of PHI; and
     10. Refrain from requiring individuals to waive their privacy
         rights as a condition of treatment, payment, or eligibility for

     An Individual’s HIPAA Privacy Rights
          – Sections 164.520 – 164.528
     HIPAA gives individuals certain rights regarding their
     PHI, including:
       • Right to notice of privacy practices;
       • Right to Access PHI;
       • Right to Amend PHI;
       • Right to Accounting of Disclosures; and
       • Right to Request Restrictions of Uses and

      Protected Health Information -- Sections
         160.103 and 164.501 (definitions)
     “Individually identifiable health information” is information that
     is a subset of health information, including demographic
     information collected from an individual, and:
     (1) Is created or received by a health care provider, health plan,
          employer, or health care clearinghouse; and
     (2) Relates to the past, present, or future physical or mental
          health or condition of an individual; the provision of health
          care to an individual; or the past, present, or future payment
          for the provision of health care to an individual; and
          (i) That identifies the individual; or
           (ii) With respect to which there is a reasonable basis to believe
               the information can be used to identify the individual.
                     Use and Disclosures
                          For Research
      HIPAA allows PHI to be used and/or disclosed for research
     based on:
     1. A patient authorization,
     2. A waiver of patient authorization by an IRB (or privacy
     3. Qualifying as preparatory work for research purposes,
     4. The de-identification of a person's health information as
        defined by HIPAA,
     5. The de-identification through a limited data set,
     6. The individual being deceased, or
     7. An approval/waiver by the IRB or permission by the
        individual prior to April 14, 2003.
                          Authorization –
                   Sections 164.508 (generally)
                 (b)(3) and (c) (specific elements)
     PHI may be disclosed for research purposes with a HIPAA authorization
     under the following elements and process:
     • A description of the information to be used or disclosed in a specific and
       meaningful fashion;
     • The name or other specific identification of the person(s) or class of
       persons authorized to make the requested use or disclosure;
     • The name or other specific identification of the person(s) or class of
       persons to whom the covered entity may make the requested use or
     • A description of each purpose of the requested use or disclosure;
     • An expiration date / expiration event that relates to the purpose of the use
       or disclosure;

     • A statement of the individual's right to revoke the authorization in
       writing and the exceptions to the right to revoke, together with a
       description of how the individual may revoke the authorization;
     • A statement that information used may be subject to re-disclosure
       by the recipient and no longer be protected by this rule;
     • Signature of the individual and date, and if the authorization is
        signed by a personal representative of the individual, a description
       of such representative's authority to act for the individual; and
     • Statement of the consequences to the individual of a refusal to
     • Written in plain language; and
     • Signed copy to the individual.

      Authorization For Psychotherapy Notes
       -- Sections 164.501 (definitions) and
        164.508(a)(2) and (b)(3)(ii) and (iii)
     Psychotherapy notes means:
     • notes recorded (in any medium) by a health care provider who
       is a mental health professional documenting or analyzing the
       contents of conversation during a private counseling session or
       a group, joint, or family counseling session and that are
       separated from the rest of the individual’s medical record.
     • But they EXCLUDE medication prescription and monitoring,
       counseling session start and stop times, the modalities and
        frequencies of treatment furnished, results of clinical tests, and
       any summary of the following items: diagnosis, functional
       status, the treatment plan, symptoms, prognosis, and progress
       to date.

         Waiver of Authorization -- Section
             164.512(i)(1)(i) and (i)(2)
     In order to access PHI under a waiver of authorization for research,
     the IRB must make the following determinations:
     1. Use or disclosure involves no more than minimal risk to privacy
           for the individual based on:
      (i) a plan to protect patient identifiers from improper use and
     (ii) a plan to destroy patient identifiers at the earliest opportunity; and
     (iii) adequate written assurances that protected health information will
           not be reused or disclosed to others except as required by law, for
           oversight of the research, or for other research that would be
           permitted by HIPAA;
     2. The research could not be practically conducted without the

                Waiver of Authorization
   3. The research could not be practically conducted without access to
      protected health information; and
    4. A brief description of the PHI necessary to do the research (i.e.,
       the minimum necessary); and
   5. The privacy risks are reasonable in relation to the anticipated
      benefits to the individuals and the importance of knowledge
      gained through research.
   • To document the waiver, the IRB must: (i) document
     the above determinations, (ii) identify the IRB and
     date of waiver, (iii) review either as regular or
     expedited, and (iv) have the documentation signed
     by the IRB chair, or other member designated by the
      chair.
     Preparatory Work to Research -- Section

     For preparatory work, the researcher must submit a
     request documenting that:
     • use or disclosure is sought solely to review PHI as
       necessary to prepare a research protocol;
     • information will not be removed from the covered
       entity by the researcher during the review; and
     • PHI for which access is sought is necessary for
       research purposes.

       De-Identification -- Sections 164.502(d)
             and 164.514(a), (b) and (c)
     De-identified health information can be released for research use without patient
     authorization. PHI can be de-identified through 2 methods.
     • The first is through a general deletion of 18 specific identifiers. They are:
     1. Names;
     2. All geographic subdivisions smaller than a State, including street address, city,
        county, precinct, zip code, and their equivalent geocodes;
     3. All elements of dates (except year) for dates directly related to an individual,
        including birth date, admission date, discharge date, date of death; and all ages
        over 89;
      4. Telephone numbers;
      5. Fax numbers;
      6. Electronic mail addresses;
      7. Social security numbers;
      8. Medical record numbers;
      9. Health plan beneficiary numbers;
      10. Account numbers;
      11. Certificate/license numbers;

     12. Vehicle identifiers and serial numbers, including license plate numbers;
     13. Device identifiers and serial numbers;
     14. Web Universal Resource Locators (URLs);
     15. Internet Protocol (IP) address numbers;
     16. Biometric identifiers, including finger and voice prints;
     17. Full face photographic images and any comparable images; and
      18. Any other unique identifying number, characteristic, or code (except a code
        assigned by the covered entity to allow re-identification under certain requirements).
      Plus, the covered entity cannot have actual knowledge that the de-identified
      information could be used alone or in combination with other information to identify
      an individual.
     • The second method of de-identifying is for a person with knowledge/experience of
       statistical and scientific methods to apply them so that the risk is very small that the
       information could be used, alone or in combination with other reasonably available
       information, by an anticipated recipient to identify the individual.

       Limited Data Set -- Section 164.514 (e)
     A limited data set of PHI may not include any of the identifiers
     required for “de-identification” except for the following:
     • (part of) #2. town or city, State, and zip code;
     • #3. All elements of dates (except year) for dates directly related to
        an individual, including birth date, admission date, discharge date,
        date of death;
     • #18. Any other unique identifying number, characteristic, or code.
     • Note: The covered entity cannot have actual knowledge that the
        information could be used alone or in combination with other
        information to identify an individual.
     The covered entity must have a data use agreement with the recipient,
     whether internal or external, and must take steps to cure/ end
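As an added illustration (not part of the presentation), the two de-identification routes above applied to a constructed record with an assumed field schema: the Safe Harbor deletion of the listed identifiers with year-only dates and ages over 89 aggregated, a scan for identifiers that survive inside free-text notes, and the limited data set variant that keeps city, State, zip code and full dates.

```python
import re
from datetime import date

# Constructed sample record with an assumed field schema; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "street": "123 Main St", "city": "Palo Alto",
    "state": "CA", "zip": "94301", "birth_date": date(1910, 3, 4),
    "admission_date": date(2002, 6, 12), "phone": "650-555-0100",
    "email": "jane@example.com", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "device_serial": "DEV-99", "ip": "10.0.0.5", "cpt_code": "92980",
    "ldl": 142, "note": "Pt seen on 06/12/2002, call 650-555-0100 with results",
}
AS_OF = date(2002, 10, 15)  # reference date for computing age (assumed)

# Fields carrying the listed identifiers (items 1, 4-17); assumed field names.
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "plan_id", "account", "license", "plate", "device_serial",
                      "url", "ip", "fingerprint", "photo"}
GEO_BELOW_STATE = {"street", "city", "county", "zip"}  # item 2; State may stay
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that commonly survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

def residual_identifier_hits(text):
    """Names of identifier patterns found in a free-text value (sorted)."""
    return sorted(k for k, p in RESIDUAL_PATTERNS.items() if p.search(text))

def safe_harbor(record, as_of):
    """Method 1: delete listed identifiers, keep only years, aggregate ages > 89."""
    out = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in GEO_BELOW_STATE:
            continue
        if k in DATE_FIELDS and isinstance(v, date):
            out[k.replace("_date", "_year")] = v.year
        elif isinstance(v, str) and residual_identifier_hits(v):
            out[k] = "[REDACTED: free text contained identifiers]"
        else:
            out[k] = v
    if isinstance(record.get("birth_date"), date):
        age = as_of.year - record["birth_date"].year  # year-granular by design
        if age > 89:  # the birth year alone would reveal an age over 89
            out.pop("birth_year", None)
        out["age"] = "90+" if age > 89 else age
    return out

def limited_data_set(record):
    """Direct identifiers out; city, State, zip and full dates stay (needs a DUA)."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k != "county"}
```

The free-text check is the practical counterpart of the "actual knowledge" condition: a note field that still carries a phone number or full date defeats the deletion of the structured identifiers.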
                    Chicken Or the Egg?
     A Protocol Director wishes to recruit 75 individuals for a
     clinical trial from patients who received a certain type of
     treatment for blocked arteries in the SHC cardiac cath lab
     between June 2002 and July 2003. They would receive a new
      medication under an IND that is supposed to prevent or reduce
     further blockage.

     Q#1. The PD first wishes to find out how many individuals
     received this treatment at SHC. The PD approaches SHC HIMS
     to run an electronic query for the time period using a particular
     CPT code. SHC runs it and finds that there are 200 such

     Q#2. The IRB approves the protocol, including a HIPAA
     authorization in the informed consent form. The PD goes back
     to SHC HIMS and asks for a query that will produce the names
     and addresses of the patients, medical records numbers, and a
     copy of the medical record. SHC asks for a signed
     authorization, because otherwise it would be providing PHI for
     research use.

     Q#3. What if the IRB requires that the recruitment be through
     the treating cardiologist; will that cardiologist’s use of the
      names and addresses of his/her patients constitute a research
     use (or even a “marketing” use)?

     Q#4. What if the sponsor also wanted information (including
     PHI) about the individuals who were pre-screened by telephone
     but did not qualify for the clinical trial? The PD will not have an
     authorization signed by these individuals.
     Q#5. What if all the patients were the PD’s? What if the PD
     already had a separate research database with these patients in
      Q#6. If this were not a clinical trial but only involved the
     collection of existing data (e.g., lab values, sex) from the
     medical records without the names of the patients, could it be
     reviewed as exempt (category #4, existing data without

                 Deceased Individuals –
                Section 164. 512(i)(1)(iii)

      To use or disclose PHI of deceased persons, the
     researcher must submit:
     • representation that the review is solely for research
       regarding decedents;
     • representation that the PHI for which access is
       sought is necessary for research purposes; and
     • any documentation requested by the covered entity
       of the death of the individuals.

      Approval Or Waiver Prior To April 14,
        2003 -- Section 164.532(a) and (c)
     A covered entity may use or disclose, for a specific
     research study, PHI that it created or received either
     before or after April 14, 2003, provided that
     • there is no revocation (e.g., of informed consent), and
     • that the covered entity has obtained, prior to April 14,
          2003, either:
     (1) The authorization or other express legal permission
          from an individual to use or disclose PHI for the
          research study;

            Approval Or Waiver Prior To
            April 14, 2003  (continued)
     (2) The informed consent of the individual to participate in
     the research study; or
     (3) A waiver, by an IRB, of informed consent for the
         research study, in accordance with the Common

     EXCEPT, a researcher must obtain an authorization, if
     informed consent is sought from an individual
     participating in the research study after April 14, 2003.

          Minimum Necessary -- Sections
      164.502(b) and 164.514(d)(3), (4) and (5)
     • The minimum necessary requirement does not apply
       to research under an authorization.
      • A covered entity may rely, if reasonable under the
       circumstances, on a requested disclosure as the
       minimum necessary for the stated purpose when
       documentation or representations provided by the
        researcher comply with the applicable requirements
        of a waiver of authorization, preparatory work to
        research, or research on deceased individuals.

           HIPAA Privacy Rule Penalties
     • Criminal penalties (42 USC §1320d-6) – DOJ/U.S. Attorney
        • Knowingly – 1 year/$50,000
        • False pretenses – 5 years/$100,000
        • Malice, commercial advantage, personal gain – 10 years,
     • Civil penalties (42 USC §1320d-5) – HHS/Office of Civil
        • $100 each violation (transaction costs)
        • $25,000 annual limit for violating each “identical
          requirement or prohibition” – could be a big number.

     • Congressional humor? “Administrative Simplification Act”

